Bu sayfa henüz yerel dilinizde mevcut değildir. Daha fazla dil seçeneği eklemek için yoğun bir şekilde çalışıyoruz. Desteğiniz için teşekkür ederiz.

Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive
Help Center/ Web Application Firewall/ Best Practices/ Website Access Configuration/ Connecting a Website Without a Proxy to WAF in CNAME Access Mode

Connecting a Website Without a Proxy to WAF in CNAME Access Mode

Updated on 2025-01-17 GMT+08:00

Application Scenarios

With the deepening of digital applications, web applications are widely used by most enterprises. Many web applications, such as enterprise websites, online shopping malls, and remote office systems, are publicly accessible. They are becoming major targets of hackers. According to historical data analysis, about 75% of information security attacks target web applications. In addition, web applications and components have more vulnerabilities than others. The critical Log4j vulnerability affected most web applications adversely.

This topic walks you through on how to add your website to WAF in cloud CNAME access mode when no proxies, such as anti-DDoS or CDN products, are used in front of WAF for your website.

Architecture

If your website is not added to WAF, DNS resolves your domain name to the IP address of the origin server. If your website is added to WAF, DNS resolves your domain name to the CNAME of WAF. In this way, the traffic passes through WAF. WAF inspects every traffic coming from the client and filters out malicious traffic.

Figure 1 No proxy used

Advantages

After you enable cloud WAF for your website, the website traffic goes through WAF first. WAF examines HTTP/HTTPS requests to identify and block attacks such as SQL injections, cross-site scripting, web shells, command/code injections, file inclusion, sensitive file access, third-party application vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery. Then, WAF forwards only legitimate traffic origin servers. In this way, WAF helps keep your website services secure and stable.

Resource and Cost Planning

Table 1 Resources and costs

Resource

Description

Monthly Fee

Web Application Firewall

Cloud - Standard edition

  • Billing mode: Yearly/Monthly
  • Number of domain names that can be protected: 10
  • QPS quota: 2,000 QPS
  • Peak bandwidth: 100 Mbit/s inside the cloud and 30 Mbit/s outside the cloud

For details about pricing rules, see Billing Description.

Step 1: Buy the Standard Edition Cloud WAF

  1. Log in to Huawei Cloud management console.
  2. On the management console page, choose Security & Compliance > Web Application Firewall.
  3. In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select Cloud Mode for WAF Mode.

    • Region: Select the region nearest to your services WAF will protect.
    • Edition: Select Standard.
    • Expansion Package and Required Duration: Set them based on site requirements.

  4. Confirm the product details and click Buy Now in the lower right corner of the page.
  5. Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
  6. On the payment page, select a payment method and pay for your order.

Step 2: Add Website Information to WAF

  1. In the navigation pane on the left, choose Website Settings.
  2. In the upper left corner of the website list, click Add Website.
  3. Select Cloud - CNAME and click Configure Now.
  4. Configure website information as prompted.

    Figure 2 Configuring basic information
    Table 2 Key parameters

    Parameter

    Description

    Example Value

    Domain Name

    Domain name you want to add to WAF.

    • The domain name has an ICP license.
    • You can enter a single domain name (for example, top-level domain name example.com or level-2 domain name www.example.com) or a wildcard domain name (*.example.com).

    www.example.com

    Protected Port

    The port over which the website service traffic goes

    Standard ports

    Server Configuration

    Web server address settings. You need to configure the client protocol, server protocol, server weights, server address, and server port.

    • Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS.
    • Server Protocol: protocol used by WAF to forward client requests. The options are HTTP and HTTPS.
    • Server Address: public IP address (generally corresponding to the A record configured for the domain name on the DNS) or domain name (generally corresponding to the CNAME record configured for the domain name on the DNS) of the web server that a client accesses.
    • Server Port: service port over which the WAF instance forwards client requests to the origin server.
    • Weight: Requests are distributed across backend origin servers based on the load balancing algorithm you select and the weight you assign to each server.

    Client Protocol: Select HTTP.

    Server Protocol: HTTP

    Server Address: IPv4 XXX.XXX.1.1

    Server Port: 80

    Use Layer-7 Proxy

    You need to configure whether you deploy other layer-7 proxies in front of WAF. Select No.

    No

  5. Click Next. Then, whitelist WAF back-to-source IP addresses and test WAF as prompted.

    Figure 3 Domain name added to WAF

Step 3: Complete CNAME Access

If the Type of the domain name host record added on DNS is CNAME - Map one domain to another, add the domain name to WAF by following the steps below.

The methods to change DNS records on different DNS platforms are similar. The following example is based on our Domain Name Service (DNS).

  1. Obtain the CNAME record.

    1. Click in the upper left corner of the management console and select a region or project.
    2. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
    3. In the navigation pane, choose Website Settings.
    4. In the Domain Name column, click the target domain name to go to the Basic Information page.
      Figure 4 Basic Information
    5. In the CNAME row, click to copy the CNAME record.

  2. Change the DNS settings.

    1. Access the DNS resolution page, as shown in Figure 5.
      Figure 5 DNS page
    2. In the Operation column of the target domain name, click Modify. The Modify Record Set page is displayed.
    3. In the displayed Modify Record Set dialog box, change the record.
      • Name: Domain name configured in WAF
      • Type: Select CNAME - Map one domain to another.
      • Line: Default
      • TTL (s): The recommended value is 5 min. A larger TTL value will make it slower for synchronization and update of DNS records.
      • Value: Change it to the copied CNAME value from WAF.
      • Keep other settings unchanged.
      NOTE:

      About modifying the resolution record:

      • The CNAME record must be unique for the same host record. The existing CNAME record must be changed to the WAF CNAME record.
      • Record sets of different types in the same zone may conflict with each other. For example, for the same host record, the CNAME record conflicts with another record, such as the A record, MX record, or TXT record. If the record type cannot be changed, you can delete the conflicting records and add a CNAME record. Deleting other records and adding a CNAME record should be completed in as short time as possible. If no CNAME record is added after the A record is deleted, domain resolution may fail.

      For details about the restrictions on domain name resolution types, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?

      Figure 6 Modifying a record set
    4. Click OK.

  3. (Optional) Ping the IP address of your domain name to check whether the new DNS settings take effect.

    NOTE:

    It takes some time for the new DNS settings to take effect. If ping fails, wait for 5 minutes and ping again.

Sitemizi ve deneyiminizi iyileştirmek için çerezleri kullanırız. Sitemizde tarama yapmaya devam ederek çerez politikamızı kabul etmiş olursunuz. Daha fazla bilgi edinin

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback